
[Resolved] Trojan.spambot.pbfrv2 Detected


  • This topic is locked
10 replies to this topic

#1 citiman

citiman

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 04 September 2007 - 10:37 AM

Cannot find much on this. Anyone have any ideas? Here is my log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:52 AM, on 9/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Config\lsass.exe
C:\My Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [VT100 Emulator] C:\WINDOWS\system32\VT100.EXE
O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\frmwrk.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu.exe
O4 - HKLM\..\Run: [salyby] C:\Program Files\MSN Gaming Zone\salyby22011.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\mgcebuow.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Adams\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/p...13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://diy.retail.st...ivex/msxml4.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://146.82.109.20...tion/msiein.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v5.cab
O16 - DPF: {EDBE48BE-0150-4BD9-9B01-48559B6EE90A} (CWindowsConnectNow Object) - http://support.dlink...ref_activex.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80D48597-AE2A-4D1B-BA99-217A3EC5C0B9}: NameServer = 10.0.0.2
O18 - Protocol hijack: mhtml -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe (file missing)
O23 - Service: SupportAnyPC Service (SupportAnyPC) - Out of the Box Consulting, Inc. - C:\DOCUME~1\Adams\LOCALS~1\Temp\winvnc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

--
End of file - 9257 bytes
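As an added example (not code from this thread, from Trend Micro's HijackThis, or from any of the posters), the following Python script shows how a helper triages a log like the one above: it parses the "Rn/Fn/On - ..." entry lines, flags the patterns that stand out in this log (the F2 Shell= value carrying a second executable, O4 and O23 entries running from a Temp or WINDOWS\Config directory, the O18 protocol hijack, a rundll32 autostart, services with an unknown owner), and diffs a "before" and "after" log so the entries a cleanup removed are listed explicitly. The flagging rules and the shortened sample excerpts are assumptions written for this example; they are heuristics, not an official HijackThis rule set.

```python
"""Triage helper for HijackThis (HJT) v2 log lines.

Added example, not code from the forum thread or from HijackThis itself.
The flag rules below are assumptions written for this example.
"""
import re
from typing import Dict, List, Tuple

# Matches "R1 - ...", "F2 - ...", "O4 - ..." style entry lines.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<detail>.*)$")

# Directories from which legitimate autostart entries and services rarely run.
SUSPECT_DIRS = re.compile(r"\\Temp\\|\\Config\\", re.IGNORECASE)


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, detail) for every HJT entry line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("detail")))
    return entries


def flag_entry(section: str, detail: str) -> List[str]:
    """Reasons this entry deserves a closer look (empty list = nothing notable)."""
    reasons = []
    # F2 Shell= should be exactly "Explorer.exe"; an extra program is a persistence hook.
    if section == "F2" and "Shell=" in detail:
        value = detail.split("Shell=", 1)[1].strip()
        if value.lower() != "explorer.exe":
            reasons.append("shell override: " + value)
    # Autostarts (O4) and services (O23) launched from Temp or WINDOWS\Config.
    if section in ("O4", "O23") and SUSPECT_DIRS.search(detail):
        reasons.append("runs from temp/config directory")
    # Services whose vendor HJT could not identify.
    if section == "O23" and "Unknown owner" in detail:
        reasons.append("service with unknown owner")
    # A hijacked protocol handler (mhtml, http, ...).
    if section == "O18" and "Protocol hijack" in detail:
        reasons.append("protocol handler hijacked")
    # rundll32 loading a DLL at logon; worth checking the DLL name and export.
    if section == "O4" and "rundll32.exe" in detail.lower():
        reasons.append("rundll32 autostart")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to the list of reasons it was flagged."""
    result = {}
    for sec, detail in parse_hjt(text):
        reasons = flag_entry(sec, detail)
        if reasons:
            result[f"{sec} - {detail}"] = reasons
    return result


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(entries removed by a cleanup, entries that newly appeared), both sorted."""
    b = {f"{s} - {d}" for s, d in parse_hjt(before)}
    a = {f"{s} - {d}" for s, d in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


# Constructed sample excerpts, shortened from the two logs posted in the thread.
LOG_BEFORE = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Config\\lsass.exe
O4 - HKLM\\..\\Run: [NeroCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O4 - HKLM\\..\\Run: [Windows Framework] C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\frmwrk.exe
O4 - HKLM\\..\\Run: [runner1] C:\\WINDOWS\\retadpu.exe
O4 - HKLM\\..\\Run: [SystemOptimizer] rundll32.exe "C:\\WINDOWS\\system32\\mgcebuow.dll",forkonce
O18 - Protocol hijack: mhtml -
O23 - Service: SupportAnyPC Service (SupportAnyPC) - Out of the Box Consulting, Inc. - C:\\DOCUME~1\\Adams\\LOCALS~1\\Temp\\winvnc.exe
"""

LOG_AFTER = """\
O4 - HKLM\\..\\Run: [NeroCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O4 - HKLM\\..\\Run: [Windows Framework] C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\frmwrk.exe
O18 - Protocol hijack: mhtml -
O23 - Service: SupportAnyPC Service (SupportAnyPC) - Unknown owner - C:\\DOCUME~1\\Adams\\LOCALS~1\\Temp\\winvnc.exe (file missing)
"""

if __name__ == "__main__":
    for line, why in triage(LOG_BEFORE).items():
        print(line, "->", "; ".join(why))
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed by cleanup:", *removed, sep="\n  ")
    print("new entries:", *added, sep="\n  ")
```

Run against the sample, the script flags five of the seven "before" entries and lists four entries gone after the cleanup, with the SupportAnyPC service reappearing as "Unknown owner ... (file missing)". The runner1 entry (C:\WINDOWS\retadpu.exe) is not caught by any rule even though the cleanup removed it, which is the point of the helpers' remark that logs take a while to research: path-based heuristics narrow the list, but each remaining entry still has to be looked up by name.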



#2 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 04 September 2007 - 02:22 PM

Hi! Welcome to the WTT forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.
You too could train to help others- Join the Classroom


#3 citiman

citiman

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 04 September 2007 - 04:31 PM

I can get as far as hitting the save list button, then the system totally closes the program down and I have to restart the program. I can see the list but it is not letting me save the list or even asking where I want to save it to. The program closes as soon as I click the save list button. Thanks for the help!

#4 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 05 September 2007 - 02:10 AM

Hi

We will come back to that.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.


#5 citiman

citiman

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 05 September 2007 - 07:36 AM

Here are both log files:


SDFix: Version 1.101

Run by Adams on Wed 09/05/2007 at 07:31 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service xpdx - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\3.TMP - Deleted
C:\675135~1 - Deleted
C:\Program Files\InetGet2\popinstall.exe - Deleted
C:\Program Files\WinPop\UnInstall.exe - Deleted
C:\Program Files\WinPop\winpop.exe - Deleted
C:\d.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\retadpu.exe - Deleted
C:\WINDOWS\system32\help.txt - Deleted
C:\WINDOWS\system32\win32.exe - Deleted

Could Not Remove C:\4.TMP
Could Not Remove C:\WINDOWS\system32\xpdx.sys

Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\WinPop - Removed
Folder C:\Temp\fse - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------


Rootkit xpdx Found, Use a Rootkit scanner !

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6 Pro\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.2.6 Pro\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"="C:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe:*:Enabled:Rise of Nations"
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe:*:Disabled:pcAnywhere Host Service"
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Disabled:pcAnywhere Remote Service"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BitTyrant\\Azureus.exe"="C:\\Program Files\\BitTyrant\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Disabled:Flashget"
"C:\\WINDOWS\\system32\\VT100.EXE"="C:\\WINDOWS\\system32\\VT100.EXE:*:Enabled:VT100 Emulator"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------
C:\3.TMP Found
C:\4.TMP Found
C:\WINDOWS\system32\xpdx.sys Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Adams\NetHood\www.adamsfh.com\Desktop.ini
C:\Documents and Settings\Adams\NetHood\www.blountstownfbc.com\Desktop.ini
C:\Documents and Settings\Adams\NetHood\www.dannyryalsrealestate.com\Desktop.ini
C:\Documents and Settings\Adams\NetHood\www.deerplainclub.com\Desktop.ini
C:\Documents and Settings\Adams\NetHood\www.luxury-travels.com\Desktop.ini
C:\GQWIN\WGRADE4.DLL
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\ntoskrnl.exe
C:\WRI4.SYS
C:\WINDOWS\system32\664CD74154.sys
C:\WINDOWS\system32\KGyGaAvL.sys

Finished



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:17 AM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\frmwrk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\My Downloads\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Adams\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/p...13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://diy.retail.st...ivex/msxml4.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://146.82.109.20...tion/msiein.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v5.cab
O16 - DPF: {EDBE48BE-0150-4BD9-9B01-48559B6EE90A} (CWindowsConnectNow Object) - http://support.dlink...ref_activex.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80D48597-AE2A-4D1B-BA99-217A3EC5C0B9}: NameServer = 10.0.0.2
O18 - Protocol hijack: mhtml -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe (file missing)
O23 - Service: SupportAnyPC Service (SupportAnyPC) - Unknown owner - C:\DOCUME~1\Adams\LOCALS~1\Temp\winvnc.exe (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

--
End of file - 9704 bytes

Thanks!

#6 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 05 September 2007 - 07:47 AM

  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver to load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic


#7 citiman

citiman

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 05 September 2007 - 08:52 AM

Doing the first scan closed the program and restarted the computer, so I did the scan again and copied all this before the computer rebooted itself.

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-09-05 09:23:25
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwCreateKey
SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.13 ----

? C:\WINDOWS\system32\xpdx.sys The system cannot find the file specified.
.text ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896

---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\System32\wbem\wmiprvse.exe[492] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[492] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA289D
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[492] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA28AA
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[492] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896
.text C:\WINDOWS\explorer.exe[548] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\WINDOWS\explorer.exe[548] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA289D
.text C:\WINDOWS\explorer.exe[548] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA28AA
.text C:\WINDOWS\explorer.exe[548] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896
.text C:\WINDOWS\system32\winlogon.exe[800] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\WINDOWS\system32\winlogon.exe[800] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA289D
.text C:\WINDOWS\system32\winlogon.exe[800] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA28AA
.text C:\WINDOWS\system32\winlogon.exe[800] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896
.text C:\WINDOWS\system32\services.exe[844] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\WINDOWS\system32\services.exe[844] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA289D
.text C:\WINDOWS\system32\services.exe[844] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA28AA
.text C:\WINDOWS\system32\services.exe[844] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896
.text C:\WINDOWS\system32\lsass.exe[856] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF92849
.text C:\WINDOWS\system32\lsass.exe[856] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF9289D
.text C:\WINDOWS\system32\lsass.exe[856] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF928AA
.text C:\WINDOWS\system32\lsass.exe[856] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF92896
.text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA289D
.text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA28AA
.text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA289D
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA28AA
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896
.text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA289D
.text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA28AA
.text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896
.text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA289D
.text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA28AA
.text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896
.text C:\WINDOWS\System32\svchost.exe[1484] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\WINDOWS\System32\svchost.exe[1484] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA289D
.text C:\WINDOWS\System32\svchost.exe[1484] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA28AA
.text C:\WINDOWS\System32\svchost.exe[1484] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896
.text C:\WINDOWS\System32\svchost.exe[1616] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\WINDOWS\System32\svchost.exe[1616] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA289D
.text C:\WINDOWS\System32\svchost.exe[1616] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA28AA
.text C:\WINDOWS\System32\svchost.exe[1616] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896
.text C:\My Downloads\gmer.exe[1816] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\My Downloads\gmer.exe[1816] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA289D
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA28AA
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896
.text C:\My Downloads\gmer.exe[1952] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA2849
.text C:\My Downloads\gmer.exe[1952] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA2896

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00404203
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 004041C5
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00404192
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 0040B490
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 0040B777
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 0040B7D2
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 0040B7D2
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 0040B777
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 0040B490
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 0040B74B
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 0040B777
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 0040B7A3
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[492] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 0040B7D2
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00054203
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 000541C5
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00054192
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 0005B490
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 0005B777
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 0005B7D2
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 0005B7D2
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 0005B777
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 0005B490
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 0005B74B
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 0005B777
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 0005B7A3
IAT C:\WINDOWS\system32\services.exe[844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 0005B7D2
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B74203
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00B741C5
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B74192
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00B74203
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 00B74203
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 00B741C5
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00B7B490
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 00B7B777
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 00B7B7D2
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 00B7B7D2
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 00B7B777
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00B7B490
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 00B7B74B
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 00B7B777
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 00B7B7A3
IAT C:\WINDOWS\system32\lsass.exe[856] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 00B7B7D2
IAT C:\WINDOWS\system32\svchost.exe[1008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00C14192
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00894203
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 008941C5
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00894192
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 0089B490
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 0089B777
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 0089B7D2
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 0089B7D2
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 0089B777
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 0089B490
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 0089B74B
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 0089B777
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 0089B7A3
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 0089B7D2
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 01034203
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 010341C5
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 01034192
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 0103B490
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 0103B777
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 0103B7D2
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 0103B7D2
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 0103B777
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 0103B490
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 0103B74B
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 0103B777
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 0103B7A3
IAT C:\WINDOWS\system32\svchost.exe[1384] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 0103B7D2
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 01A34203
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 01A341C5
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 01A34192
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 01A3B490
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 01A3B777
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 01A3B7D2
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 01A3B7D2
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 01A3B777
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 01A3B490
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 01A3B74B
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 01A3B777
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 01A3B7A3
IAT C:\WINDOWS\System32\svchost.exe[1420] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 01A3B7D2
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00884203
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 008841C5
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00884192
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 0088B490
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 0088B777
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 0088B7D2
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 0088B7D2
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 0088B777
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 0088B490
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 0088B74B
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 0088B777
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 0088B7A3
IAT C:\WINDOWS\System32\svchost.exe[1484] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 0088B7D2
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 006B4203
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 006B41C5
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 006B4192
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 006BB490
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 006BB777
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 006BB7D2
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 006BB7D2
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 006BB777
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 006BB490
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 006BB74B
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 006BB777
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 006BB7A3
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 006BB7D2
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00134203
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 001341C5
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134192
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 0013B490
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 0013B777
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 0013B7D2
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!PeekMessageW] 0013B7D2
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetMessageW] 0013B777
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 0013B490
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 0013B74B
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 0013B777
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 0013B7A3
IAT C:\My Downloads\gmer.exe[1816] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 0013B7D2
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00BD4203
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00BD41C5
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00BD4192
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 00BDB7D2
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 00BDB777
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00BDB490
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 00BDB74B
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 00BDB777
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 00BDB7A3
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 00BDB7D2
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00BDB490
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 00BDB777
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1940] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 00BDB7D2
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00134203
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 001341C5
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134192
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 0013B490
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 0013B777
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 0013B7D2
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!PeekMessageW] 0013B7D2
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetMessageW] 0013B777
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 0013B490
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 0013B74B
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 0013B777
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 0013B7A3
IAT C:\My Downloads\gmer.exe[1952] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 0013B7D2

---- Devices - GMER 1.0.13 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F79620B7] xpdx.sys



Here is the other file:

GMER 1.0.13.12551 - http://www.gmer.net
Autostart scan 2007-09-05 09:44:44
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
awvtu@DLLName = C:\WINDOWS\system32\awvtu.dll
efcbxxx@DLLName = efcbxxx.dll /*file not found*/
PCANotify@DLLName = PCANotify.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aawservice /*Ad-Aware 2007 Service*/@ = "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
Automatic LiveUpdate Scheduler /*Automatic LiveUpdate Scheduler*/@ = "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Crypkey License /*Crypkey License*/@ = crypserv.exe
MSSQL$ACT7 /*MSSQL$ACT7*/@ = C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 /*file not found*/
RemoteRegistryxmlprov /*Remote Registry RemoteRegistryxmlprov*/@ = C:\WINDOWS\system32\adsldpr.exe srv
ScsiAccess /*ScsiAccess*/@ = C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe /*file not found*/
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
SSDPSRVRSVP /*SSDP Discovery Service SSDPSRVRSVP*/@ = C:\WINDOWS\system32\advpack.dllz.exe srv
wfxsvc /*WinFax PRO*/@ = C:\WINDOWS\System32\WFXSVC.EXE
wuauservCryptSvc /*Automatic Updates wuauservCryptSvc*/@ = C:\WINDOWS\system32\acluib.exe srv
xmlprovSupportAnyPC /*Network Provisioning Service xmlprovSupportAnyPC*/@ = C:\WINDOWS\system32\adsndsr.exe srv

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@WFXSwtchC:\PROGRA~1\WinFax\WFXSWTCH.exe = C:\PROGRA~1\WinFax\WFXSWTCH.exe
@WinFaxAppPortStarterwfxsnt40.exe = wfxsnt40.exe
@NeroCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@StatusClient 2.6C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto /*file not found*/ = C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto /*file not found*/
@TomcatStartup 2.5C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe = C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
@Acrobat Assistant 7.0"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" = "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
@VT100 EmulatorC:\WINDOWS\system32\VT100.EXE = C:\WINDOWS\system32\VT100.EXE
@Windows FrameworkC:\DOCUME~1\Adams\LOCALS~1\Temp\frmwrk.exe = C:\DOCUME~1\Adams\LOCALS~1\Temp\frmwrk.exe
@salybyC:\Program Files\MSN Gaming Zone\salyby22011.exe = C:\Program Files\MSN Gaming Zone\salyby22011.exe
@SystemOptimizerrundll32.exe "C:\WINDOWS\system32\rjdlrfof.dll",forkonce = rundll32.exe "C:\WINDOWS\system32\rjdlrfof.dll",forkonce
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@userinitC:\WINDOWS\system32\ntos.exe = C:\WINDOWS\system32\ntos.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@UPnPMonitor = C:\WINDOWS\system32\upnpui.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{A213B520-C6C2-11d0-AF9D-008029E1027E}C:\Program Files\WinFax\WfxSeh32.Dll = C:\Program Files\WinFax\WfxSeh32.Dll
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll
@{F4002052-AB29-4B33-8C8D-0E99084564EC}C:\WINDOWS\system32\efcbxxx.dll /*file not found*/ = C:\WINDOWS\system32\efcbxxx.dll /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{BB7DF450-F119-11CD-8465-00AA00425D90} /*Microsoft Access Custom Icon Handler*/C:\Program Files\Microsoft Office\Office\soa800.dll = C:\Program Files\Microsoft Office\Office\soa800.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
@{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Universal Plug and Play Devices*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} /*dBpoweramp Music Converter*/C:\Program Files\Illustrate\dBpoweramp\dMCShell.dll = C:\Program Files\Illustrate\dBpoweramp\dMCShell.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Program Files\MagicISO\misosh.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Program Files\MagicISO\misosh.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
FineReader@{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F} = c:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Program Files\MagicISO\misosh.dll
MP3ToWave@{DC6FA7E0-6666-11D5-8CE2-444553540000} =
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{108F534D-DF89-453b-83E3-B12EBD5F0191}cupid1.dll = cupid1.dll
@{36cd15f1-07b3-4b16-b115-cf7203ea4703}C:\WINDOWS\system32\ljbtxyn.dll = C:\WINDOWS\system32\ljbtxyn.dll
@{56B60839-C8B2-4543-B818-9977CF946511}C:\WINDOWS\system32\awvtu.dll = C:\WINDOWS\system32\awvtu.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
@{AE7CD045-E861-484f-8273-0445EE161910}C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
@{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}C:\WINDOWS\system32\wbwrycth.dll = C:\WINDOWS\system32\wbwrycth.dll
@{F096F83E-CF5B-4A18-1C8F-10707D3E8B65}C:\Program Files\Messenger\wopu.dll = C:\Program Files\Messenger\wopu.dll
@{F4002052-AB29-4B33-8C8D-0E99084564EC}C:\WINDOWS\system32\efcbxxx.dll /*file not found*/ = C:\WINDOWS\system32\efcbxxx.dll /*file not found*/

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\ssstars.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.msn.com/ = http://www.msn.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = /*file not found*/
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
msnim@CLSID = "C:\PROGRA~1\MSNMES~1\msgrapp.dll"
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{80D48597-AE2A-4D1B-BA99-217A3EC5C0B9} /*Local Area Connection*/ >>>
@IPAddress192.168.0.136 = 192.168.0.136
@NameServer10.0.0.2 = 10.0.0.2
@DefaultGateway192.168.0.1 = 192.168.0.1
@Domain =

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Acrobat Speed Launcher.lnk = Adobe Acrobat Speed Launcher.lnk
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Microsoft Office.lnk = Microsoft Office.lnk
QuickBooks 2002 Delivery Agent.lnk = QuickBooks 2002 Delivery Agent.lnk

---- EOF - GMER 1.0.13 ----
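As an added example for reading the log above (not code from the thread or from GMER), a small Python parser that walks the "Browser Helper Objects" section, pulls out each CLSID and DLL path, and flags the two conditions GMER's own output exposes: a DLL marked file not found, and a DLL registered by bare filename with no directory. The sample input is copied from the posted log; the section layout assumed is the one GMER printed here.

```python
import re

# Constructed sample input: a subset of the "Browser Helper Objects" section
# copied from the GMER log posted above, so the parser runs offline.
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{108F534D-DF89-453b-83E3-B12EBD5F0191}cupid1.dll = cupid1.dll
@{36cd15f1-07b3-4b16-b115-cf7203ea4703}C:\WINDOWS\system32\ljbtxyn.dll = C:\WINDOWS\system32\ljbtxyn.dll
@{F4002052-AB29-4B33-8C8D-0E99084564EC}C:\WINDOWS\system32\efcbxxx.dll /*file not found*/ = C:\WINDOWS\system32\efcbxxx.dll /*file not found*/

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\ssstars.scr
"""

# A GMER section header ends in ">>>"; each value line under it reads
# "@{CLSID}<path> = <path>", with "/*file not found*/" appended when the DLL
# is absent from disk. A blank line closes the section (assumed from this log).
BHO_LINE = re.compile(r"^@\{([0-9A-Fa-f-]{36})\}(.*?) = ")
MISSING_MARK = "/*file not found*/"

def parse_bho_section(log_text):
    """Return one dict (clsid, path, missing) per entry in the BHO section."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        if not line.strip():
            in_section = False          # blank line closes the current section
            continue
        if line.endswith(">>>"):
            in_section = line.rstrip(" >").endswith("Browser Helper Objects")
            continue
        m = BHO_LINE.match(line) if in_section else None
        if not m:
            continue
        clsid, raw = m.groups()
        entries.append({"clsid": clsid.upper(), "missing": MISSING_MARK in raw,
                        "path": raw.replace(MISSING_MARK, "").strip()})
    return entries

def triage(entries):
    """Flag a DLL GMER could not find, and a DLL registered by bare filename
    (Windows then resolves it via the DLL search path, so it could be anywhere)."""
    findings = []
    for e in entries:
        if e["missing"]:
            findings.append((e["clsid"], "DLL not found on disk: " + e["path"]))
        elif "\\" not in e["path"]:
            findings.append((e["clsid"], "bare filename, no directory: " + e["path"]))
    return findings
```

Feed it the full text of a GMER log and compare the parsed CLSID/path pairs against a clean machine's list to spot additions.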

#8 Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 05 September 2007 - 10:21 AM

Hi

Unfortunately your log shows signs of a rootkit being present on your system. This means your PC is at risk now and sadly may always be.
A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.

Rootkits may also have what is known as a backdoor. The backdoor, if present, will give complete remote access to your system. This means someone will be able to steal any information stored on your PC including addresses, names and telephone numbers and, more worryingly, passwords, bank account details and any other financial information; basically, they will have access to any data that you do.


At this point you have 2 options:

OPTION 1

We attempt to remove the rootkit but will never really know if it is completely removed which means all the above applies.
There will be no guarantees with this option.

OPTION 2

We reformat your system.
This will destroy the rootkit but means you will have to reinstall everything.

My advice would be OPTION 2. It is the only safe, effective and positive way of dealing with this type of infection.
It will also be much quicker to reformat/reinstall than to attempt the removal.

I would like you to read the information over and when you have decided which option to choose post back and I will gladly assist with whatever route you choose to take.
You too could train to help others- Join the Classroom

#9 citiman

    New Member

  • Authentic Member
  • 5 posts

Posted 05 September 2007 - 10:30 AM

I will go with option 2. I have all my data backed up so it looks like that will be my best bet. I can handle reformatting and reinstalling. Can this sort of thing happen as a downloaded infected file or is it more like someone found an open port in my network and exploited it?

#10 Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 05 September 2007 - 12:31 PM

The Rustock rootkit tends to come from downloaded files, I believe. It would be a good idea to scan your backups before installing when you are up and running again, just in case something is infected there.
I'm sorry I couldn't be more help, but timewise you would be far quicker going for option 2.

Here are some security recommendations.

Spybot Search and Destroy
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here.

Install Spyware Guard
Download it from here
Find the tutorial on how to use Spyware Guard here.

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use Spyware Blaster here.

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here.


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"


Follow this list and your potential for being infected again will reduce dramatically.

#11 Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 05 September 2007 - 01:38 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.